PingAM release notes

New in AM 7.5.x

AM 7.5.1

AM 7.5.1 is a maintenance release that introduces functional enhancements and fixes.

New utility script binding

Use the utils binding to base64 encode/decode strings and generate random values and UUIDs in your next-generation scripts.

Learn more in Script bindings.

Backchannel logout token contains exp claim

The logout token generated during backchannel logout now contains an exp claim. Learn more in Backchannel logout.

System property for social provider sub claim uniqueness

A new system property (org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique) indicates that the OIDC social provider doesn’t return a unique value for the sub claim.

This is false by default.

New ssoadm commands update attributes in a realm service

A fix to the deprecated ssoadm tool adds the following new commands:

  • add-realm-default-attributes

  • set-realm-default-attributes

  • remove-realm-default-attributes

  • get-realm-default-attributes

These commands work on realm defaults from AM 7 onwards.

AM 7.5

AM 7.5 is a minor release that introduces new features, functional enhancements, and fixes.

Support for storing secrets in secret stores

The following features now support storing their secrets in a secret store instead of in the configuration. For greater security, move these secrets to a secret store when convenient.

Authentication
  • Authentication signing secret

  • AM password encryption key

  • HTTP outbound request authentication password (advanced server setting)

  • Password capture and replay

  • Client-side sessions:

    • The HMAC signing key

    • The am.global.services.session.clientbased.signing mapping is deprecated and replaced by algorithm-specific mappings

    • The am.global.services.session.clientbased.encryption mapping is deprecated and replaced by am.global.services.session.clientbased.encryption.RSA and am.global.services.session.clientbased.encryption.AES

SAML v2.0
  • Remote SP and IDP basic authentication for SOAP-based binding

  • SP authentication with mTLS for artifact resolve requests

OAuth 2.0
  • OAuth 2.0 client authentication secrets

  • OAuth 2.0 client mTLS self-signed certificate

  • OAuth 2.0 client ID token public encryption key

  • OAuth 2.0 client JWT bearer public key

  • OAuth 2.0 provider salting of hashes

In addition, you can now rotate secrets in file system secret volumes.

Learn more in Map and rotate secrets.

Support for mTLS connections

The following services now support certificate-based connections to the backend LDAP store using mTLS:

Configurable affinity for connections to the DS identity repository

The DS identity repository configuration now includes an Affinity Level setting that lets you specify the operations for which AM should use affinity-based load balancing.

In previous AM releases, you configured affinity only with the Affinity Enabled property, so it was either on or off. With Affinity Enabled set to true, ALL operations to the DS repository used affinity. With Affinity Enabled set to false, the equivalent affinity level was NONE (no operations used affinity).

The new setting introduces the BIND level as a middle ground. When you set the affinity level to BIND, only user authentication requests use affinity. This setting provides a small but significant performance improvement in deployments with multiple replicated DS identity stores.

In addition, the LDAP Decision node has been updated with a new property, affinityLevel (NONE, BIND, and ALL). This node property is separate from the identity repository configuration setting.

The Data Store Decision node uses the identity repository configuration. As such, affinity settings configured for the identity repository will impact connections to the DS server made by this node.

Request Header node

The new Request Header node lets customers inject values into shared state based on request header values. You can use the node to get information about a journey or the user from an external system or even customize the branding of a journey.

Learn more in Request Header node.

Scalable OAuth 2.0 clients

The scalable OAuth 2.0 clients feature lets you create and manage large numbers of OAuth 2.0 clients without impacting system performance. Once you have enabled the feature, create clients as usual through dynamic registration or in the AM admin UI, and then use the AM administration OAuth 2.0 client REST endpoint to search for clients and filter and page query results.

SAML v2.0 NameID mapping configurable on the service provider (SP)

You can now configure NameID mapping on a remote SP. The SP configuration overrides the NameID Value Map on the IDP, letting you define different name requirements for each SP.

Learn more about NameID value mapping in the Remote service provider configuration properties.

Use a tree hook to run actions on journey failure

Override the new acceptFailure method to run actions on journey failure.

Learn more about the TreeHook interface in the Public API Javadoc.

Storing identified identities in the authentication session

The following new methods let you record users and agents verified to exist in an identity store:

org.forgerock.openam.auth.node.api.Action
  • public ActionBuilder withIdentifiedIdentity(AMIdentity id)

  • public ActionBuilder withIdentifiedIdentity(String username, IdType id)

org.forgerock.openam.auth.nodes.script.ActionWrapper
  • public ActionWrapper withIdentifiedAgent(String agentName)

  • public ActionWrapper withIdentifiedUser(String username)

A new advanced server property, org.forgerock.am.auth.trees.authenticate.identified.identity, determines whether AM uses these stored identified identities when deciding which user to log in.

This lets custom nodes and decision node scripts correctly resolve identities that have the same username. For more information, refer to advanced server properties.
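As an added illustration (not code from the release notes or from the AM product itself), the following custom node uses the withIdentifiedIdentity(String, IdType) method listed above to record the user from shared state as an identified identity. The package name, class name and the assumption that an earlier node in the journey already verified the username against the identity store are all hypothetical.

```java
// Added example, not part of the PingAM release notes or product source.
package com.example.nodes; // hypothetical package

import com.sun.identity.idm.IdType;
import org.forgerock.openam.auth.node.api.Action;
import org.forgerock.openam.auth.node.api.Node;
import org.forgerock.openam.auth.node.api.NodeProcessException;
import org.forgerock.openam.auth.node.api.SharedStateConstants;
import org.forgerock.openam.auth.node.api.SingleOutcomeNode;
import org.forgerock.openam.auth.node.api.TreeContext;

@Node.Metadata(outcomeProvider = SingleOutcomeNode.OutcomeProvider.class,
               configClass = MarkIdentifiedUserNode.Config.class)
public class MarkIdentifiedUserNode extends SingleOutcomeNode {

    /** No configuration is needed for this illustration. */
    public interface Config {
    }

    @Override
    public Action process(TreeContext context) throws NodeProcessException {
        String username = context.sharedState.get(SharedStateConstants.USERNAME).asString();
        if (username == null || username.isEmpty()) {
            // Never record an identified identity without a username to identify.
            throw new NodeProcessException("No username in shared state");
        }

        // Assumption for this example: a preceding node (for example, a data store
        // lookup) has already verified that this username exists in the identity
        // store. Recording it here lets AM resolve the correct identity at login time
        // when org.forgerock.am.auth.trees.authenticate.identified.identity is enabled,
        // even if another store holds an identity with the same username.
        return goToNext()
                .withIdentifiedIdentity(username, IdType.USER)
                .build();
    }
}
```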

Identity Assertion node and Identity Assertion service

The new Identity Assertion node and supporting service let AM use PingGateway to manage authentication through a third party such as Windows Desktop SSO or Kerberos.

PingOne Protect nodes and PingOne Worker service

The new PingOne Protect nodes and supporting PingOne Worker service let you integrate with PingOne Protect. Leverage risk predictors and route your journeys based on calculated risk scores.

You can add these nodes to your authentication, registration, and self-service journeys to combat account takeover, new account fraud, and MFA fatigue.

Learn more:

Nodes in a Page node log individual audit events

Nodes contained in a Page node now log individual AM-NODE-LOGIN-COMPLETED audit events.

Learn more about audit logging in Audit log events.